
View Full Version : Troubleshooting...



Medyman
05-23-2007, 06:54 PM
I'm trying to set up a PHP/MySQL/Flash interaction...

I want to test if the php is working or if the problem is within flash... Is there a way to test if this is working w/o the appropriate interface? I.e. adding certain variables to the URL or something like that...

Code:

<?php
require_once('conf.inc.php');
require_once('functions.php');
// ---
// register new user
// ---
function register($username,$pass,$email,$question,$answer)
{
    GLOBAL $db, $table;
    $username = trim($username);
    $pass = trim($pass);
    $email = trim($email);
    $question = addslashes(trim($question));
    $answer = addslashes(trim($answer));
    $validEmail = valid_email($email);
    $validName = valid_userName($username);
    $validPass = valid_password($pass);
    if(!$validName) return "error=invalid name";
    if(!$validPass) return "error=invalid password";
    if(!$validEmail) return "error=invalid email";
    $pass = md5(trim($pass));
    // all checks ok
    $query = @mysql_query("INSERT INTO $table (userName,userPassword,userMail,userQuestion,userAnswer) VALUES "
        ."('$username','$pass','$email','$question','$answer')");
    if(!$query)
    {
        return "error=" . mysql_error();
    } else {
        return "user=ok";
    }
}

// ---
// login, check user
// ---
function login($username,$pass)
{
    GLOBAL $db,$table;
    $username = trim($username);
    $pass = md5(trim($pass));
    $query = mysql_query("SELECT * FROM $table WHERE userName = '$username' AND userPassword = '$pass'");
    return mysql_num_rows($query);
}

// ---
// forget password
// ---
function forget($email)
{
    GLOBAL $db,$table;
    $email = trim($email);
    $query = mysql_query("SELECT userName, userQuestion from $table WHERE userMail = '$email'");
    if(mysql_num_rows($query)<1)
    {
        return "error=email not present into database";
    }
    $row = mysql_fetch_array($query);
    return "userName=$row[userName]&userQuestion=" . stripslashes($row['userQuestion']);
}

// ---
// generate new password
// ---
function new_password($username,$email,$answer)
{
    GLOBAL $db,$table;
    $username = trim($username);
    $email = trim($email);
    $answer = addslashes(trim($answer));
    $query = mysql_query("SELECT * FROM $table WHERE userName = '$username' AND userMail = '$email' AND userAnswer = '$answer'");
    if(mysql_num_rows($query) < 1)
    {
        return "error=wrong answer";
    }
    $rand_string = '';
    // ---
    // generating a random 8 chars length password
    // ---
    for($a=0;$a<8;$a++)
    {
        do
        {
            $newrand = chr(rand(0,256));
        } while(!eregi("^[a-z0-9]$",$newrand));
        $rand_string .= $newrand;
    }
    $pwd_to_insert = md5($rand_string);
    $new_query = mysql_query("UPDATE $table SET userPassword = '$pwd_to_insert' WHERE userName = '$username' AND userMail = '$email'");
    if(!$new_query)
    {
        return "error=unable to update value";
    }
    return "userName=$username&new_pass=$rand_string";
}

// ---
// decisional switch
// ---
if(isset($HTTP_POST_VARS["action"]))
{
    switch($HTTP_POST_VARS["action"])
    {
        case "register":
            $result = register($HTTP_POST_VARS['username'],$HTTP_POST_VARS['pass'],$HTTP_POST_VARS['email'],$HTTP_POST_VARS['question'],$HTTP_POST_VARS['answer']);
            print $result;
            break;
        case "login":
            $result = login($HTTP_POST_VARS['username'],$HTTP_POST_VARS['pass']);
            print "user=" . $result;
            break;
        case "forget":
            $result = forget($HTTP_POST_VARS['email']);
            print $result;
            break;
        case "new_password":
            $result = new_password($HTTP_POST_VARS['username'],$HTTP_POST_VARS['email'],$HTTP_POST_VARS['answer']);
            print $result;
            break;
    }
}
?>

When I run it, nothing comes on the page, which I assume is a good sign that it worked, but I'd like to see if there is a way to manually check in the database if an entry comes up.



Note: This is not my own script, obviously. It belongs to Alessandro Crugnola @ sephiroth.it.

thetestingsite
05-23-2007, 07:04 PM
You can make an HTML form like so:



<form action="test.php" method="POST">
<input type="hidden" name="action" value="register">
Username: <input type="text" name="username"> <br>
Password: <input type="text" name="pass"> <br>
Email: <input type="text" name="email"> <br>
Question: <input type="text" name="question"> <br>
Answer: <input type="text" name="answer"> <br>
<input type="submit" value="Test Script">
</form>


That will test the register function of the script. Other than that, you will not be able to place anything in the URL (because the PHP script requests POST variables).

Hope this helps.

hanji
05-25-2007, 09:29 PM
Watch yourself with that script. Your processing page, specifically the register() function call, is not inspecting client input. I would say you'd be open to an SQL injection attack and someone could force an unauthenticated login.

I would look at mysql_real_escape_string() (http://us.php.net/manual/en/function.mysql-real-escape-string.php).

hanji
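
An added illustration of the fix this warning points toward; it is not code from the thread or from the script's author. Instead of escaping with mysql_real_escape_string(), it uses PDO prepared statements and password_hash(), with an in-memory SQLite table standing in for the MySQL one. The `users` table and the function names `register_safe` and `login_safe` are assumptions made for the example.

```php
<?php
// Added example: register/login rewritten so that client input never
// becomes part of the SQL text. Table and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userName TEXT PRIMARY KEY, userPassword TEXT, userMail TEXT)');

function register_safe(PDO $db, $username, $pass, $email)
{
    // The ? placeholders are bound as data by the driver, so quotes in the
    // input cannot terminate the string literal the way they do when the
    // query is built by interpolation.
    $stmt = $db->prepare('INSERT INTO users (userName, userPassword, userMail) VALUES (?, ?, ?)');
    // password_hash() (PHP >= 5.5) replaces the unsalted md5() of the original.
    return $stmt->execute(array(trim($username), password_hash($pass, PASSWORD_DEFAULT), trim($email)));
}

function login_safe(PDO $db, $username, $pass)
{
    // Look the user up by name only, then verify the password in PHP.
    $stmt = $db->prepare('SELECT userPassword FROM users WHERE userName = ?');
    $stmt->execute(array(trim($username)));
    $hash = $stmt->fetchColumn();   // false when no row matched
    return $hash !== false && password_verify($pass, $hash);
}

// Constructed sample accounts and login attempts.
register_safe($db, 'alice', 'correct horse', 'alice@example.com');
register_safe($db, "o'brien", 'battery staple', 'ob@example.com');

var_dump(login_safe($db, 'alice', 'correct horse'));     // valid credentials
var_dump(login_safe($db, "o'brien", 'battery staple'));  // quote in a legitimate name
var_dump(login_safe($db, 'alice', 'wrong'));             // wrong password
var_dump(login_safe($db, "alice' -- ", 'anything'));     // SQL metacharacters are just a username
```

The same prepared-statement pattern applies to the forget() and new_password() queries, which interpolate $email, $username and $answer in the same way.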

Medyman
05-25-2007, 10:06 PM
Watch yourself with that script. Your processing page, specifically the register() function call, is not inspecting client input. I would say you'd be open to an SQL injection attack and someone could force an unauthenticated login.

I would look at mysql_real_escape_string() (http://us.php.net/manual/en/function.mysql-real-escape-string.php).

hanji


Thanks for the warning. I did notice that earlier and have fixed it since.

StarrRider
05-25-2007, 10:20 PM
I might be missing something - but why don't you just load your phpinfo.php file. Every system I've seen has one and if they don't - just create a text file with

<?php phpinfo(); ?>
in it. It will give you the status of your server and the dbase

hanji
05-25-2007, 10:27 PM
I might be missing something - but why don't you just load your phpinfo.php file. Every system I've seen has one and if they don't - just create a text file with

<?php phpinfo(); ?>
in it. It will give you the status of your server and the dbase

I thought he wanted to know if his specific PHP script was working vs if PHP itself was working on the server. Sorry if I'm jumping to conclusions.

hanji

Medyman
05-25-2007, 11:13 PM
I thought he wanted to know if his specific PHP script was working vs if PHP itself was working on the server. Sorry if I'm jumping to conclusions.

hanji

You were right. I was indeed asking for the status of this particular script.

StarrRider
06-03-2007, 02:12 AM
Good point. I misunderstood.